Southeast Asian govt firms targeted by Sowbug cyberespionage group

08 Nov 17

Southeast Asian and South American governments are under fire from a well-resourced cyberespionage group called Sowbug.

The group has been targeting government entities across the two regions and has already infiltrated organisations in Malaysia, Brunei, Argentina, Brazil, Ecuador and Peru.

Symantec Security Response researchers have been tracking the group’s movements since March 2017. The group itself may have been active since at least early 2015.

The group conducts surveillance. It also steals documents from the infiltrated organisations by bundling them in RAR archives and then extracting the archives later on.

Its other tactics include enumerating remote shared drives in order to reach the remote shares owned by the targeted organisation.

Researchers believe the group is well-resourced and able to infiltrate many targets at once. It also operates outside the normal working hours of the targeted organisations, a strategy that may help it maintain a low profile.

In 2016, the group infected an organisation based in Asia through the Felismus backdoor (Backdoor.Felismus). It then collected system information as part of a reconnaissance mission. Four days later the group installed another tool. These actions allowed Felismus to spread from the initial computer across the network.

“In this case, the attackers maintained a presence on the target’s network for nearly six months between September 2016 and March 2017,” researchers say.

As part of its attacks, Sowbug disguises its tools as software packages such as Windows or Adobe Reader, but it has never compromised the genuine software.

Because its tools use similar filenames and install into directory trees that could be mistaken for legitimate software, the attackers are able to ‘hide in plain sight’.

However, Symantec researchers are not sure how Sowbug infiltrates a target’s networks.

“In some cases, there was no trace of how Felismus made its way onto compromised computers, meaning it was likely deployed from other compromised computers on the network,” they state.

In other cases, a tool called Starloader (Trojan.Starloader) installs and decrypts data from a file called Stars.jpg.

The group also used other tools, including credential dumpers and keyloggers, as part of its attack process.

“It is still unknown how Starloader is installed on the compromised computer. One possibility is that the attackers use fake software updates to install files. Symantec has found evidence of Starloader files being named AdobeUpdate.exe, AcrobatUpdate.exe, and INTELUPDATE.EXE among others. These were used to create versions of the Felismus backdoor as well as other tools,” researchers state.

Symantec warns that cyberespionage attacks are often seen in Asia. The number of cyberespionage campaigns is increasing, and Sowbug’s existence demonstrates that no region is immune to such threats.
